Control: 1.15 Ensure storage service-level admins cannot delete resources they manage
Description
To apply the separation-of-duties principle, restrict service-level administrators from deleting the resources they manage: they can create and modify resources of a specific service, but not delete them. In OCI policy this is done by keeping the manage verb and excluding the service's *_DELETE permission with a where request.permission != '...' condition, as in the statements below.
Example policies for global/tenant level for block volume service-administrators:
Allow group VolumeUsers to manage volumes in tenancy where request.permission!='VOLUME_DELETE'
Allow group VolumeUsers to manage volume-backups in tenancy where request.permission!='VOLUME_BACKUP_DELETE'
Example policies for global/tenant level for file storage system service-administrators:
Allow group FileUsers to manage file-systems in tenancy where request.permission!='FILE_SYSTEM_DELETE'
Allow group FileUsers to manage mount-targets in tenancy where request.permission!='MOUNT_TARGET_DELETE'
Allow group FileUsers to manage export-sets in tenancy where request.permission!='EXPORT_SET_DELETE'
Example policies for global/tenant level for object storage system service-administrators:
Allow group BucketUsers to manage objects in tenancy where request.permission!='OBJECT_DELETE'
Allow group BucketUsers to manage buckets in tenancy where request.permission!='BUCKET_DELETE'
Remediation
From Console
- Login to OCI Console.
- Go to Identity -> Policies. In the compartment dropdown, choose the compartment. Open each policy to view the policy statements.
- Add the appropriate where condition (request.permission != '<RESOURCE>_DELETE', as in the example policies above) to any policy statement that allows the storage service-level administrators to manage the storage service.
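The review in the steps above is manual: open every policy and look for a manage statement on a storage resource type that lacks the where condition. The following script, added here as an example and not part of the oci_compliance mod, applies that check to policy statements offline. It assumes the grammar subset "Allow group <g> to <verb> <resource> in tenancy|compartment <c> [where <cond>]" (other subjects such as dynamic-group or any-user are reported as unparsed rather than silently passed), treats the *_DELETE permissions as belonging only to the manage verb, and flags manage grants on the aggregate types volume-family, file-family and object-family for manual review because they include delete permissions beyond the seven resource types listed on this page. The sample statements are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Storage resource types named in this control, mapped to the DELETE permission
# that the remediation excludes with `where request.permission != '...'`.
DELETE_PERMISSION = {
    "volumes": "VOLUME_DELETE",
    "volume-backups": "VOLUME_BACKUP_DELETE",
    "file-systems": "FILE_SYSTEM_DELETE",
    "mount-targets": "MOUNT_TARGET_DELETE",
    "export-sets": "EXPORT_SET_DELETE",
    "objects": "OBJECT_DELETE",
    "buckets": "BUCKET_DELETE",
}

# Aggregate types: `manage <family>` grants delete across the whole family,
# so a single permission exclusion is not enough. Flagged for manual review.
FAMILY_TYPES = {"volume-family", "file-family", "object-family"}

# Assumed grammar subset: group subject, single verb/resource, tenancy or compartment scope.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)

# Matches each `request.permission != 'X'` term, including inside `all { ... }`.
PERMISSION_EXCLUSION_RE = re.compile(r"request\.permission\s*!=\s*'([A-Z_]+)'", re.IGNORECASE)


def excluded_permissions(cond: Optional[str]) -> Set[str]:
    """Permissions a where clause explicitly excludes (empty if there is no clause)."""
    if not cond:
        return set()
    return {p.upper() for p in PERMISSION_EXCLUSION_RE.findall(cond)}


def check_statement(statement: str) -> Optional[str]:
    """Return a finding for one statement, or None if it is compliant or out of scope."""
    m = STATEMENT_RE.match(statement)
    if m is None:
        # Unparsed statements are surfaced, never silently treated as compliant.
        return "could not parse statement; review manually"
    verb = m.group("verb").lower()
    resource = m.group("resource").lower()
    if resource in FAMILY_TYPES and verb == "manage":
        return f"manage {resource} grants delete across the family; scope down to individual resource types"
    if resource not in DELETE_PERMISSION:
        return None  # not a storage type covered by this control
    if verb != "manage":
        return None  # inspect/read/use do not include a *_DELETE permission
    required = DELETE_PERMISSION[resource]
    if required in excluded_permissions(m.group("cond")):
        return None
    return f"manage {resource} without where request.permission != '{required}'"


def audit(statements: List[str]) -> Dict[str, str]:
    """Map each non-compliant (or unparsed) statement to its finding; compliant ones are omitted."""
    results = {}
    for s in statements:
        finding = check_statement(s)
        if finding is not None:
            results[s] = finding
    return results


# Constructed sample statements for the example (not taken from a real tenancy).
SAMPLE_STATEMENTS = [
    "Allow group VolumeUsers to manage volumes in tenancy where request.permission!='VOLUME_DELETE'",
    "Allow group VolumeUsers to manage volume-backups in tenancy",
    "Allow group FileUsers to manage file-systems in compartment Prod where all "
    "{request.permission!='FILE_SYSTEM_DELETE', request.user.mfaTotpVerified='true'}",
    "Allow group BucketUsers to manage buckets in tenancy where request.permission!='BUCKET_UPDATE'",
    "Allow group BucketUsers to read objects in tenancy",
    "Allow group StorageOps to manage object-family in tenancy",
    "Allow group NetAdmins to manage virtual-network-family in tenancy",
]

if __name__ == "__main__":
    for statement, finding in audit(SAMPLE_STATEMENTS).items():
        print(f"FAIL: {statement}\n      {finding}")
```

Three of the seven sample statements fail: the unguarded volume-backups grant, the buckets grant whose condition excludes BUCKET_UPDATE instead of BUCKET_DELETE, and the object-family grant. A statement that wraps the exclusion in an all {...} block alongside other conditions still passes, because the check looks for the specific *_DELETE term rather than requiring a fixed clause shape.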
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_15
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_15 --share
SQL
This control uses a named query:
manual_control